Secure Network Design

Introduction

Insurance Company A and Company B have executed a consolidation of assets owned under a new company through a merger. Company B is a financial services firm that will help Company A achieve its goal of diversifying and expanding its market dominance in our industry. Following the completion of regulatory formalities, the IT staff will begin the conversion of Business B’s IT ecosystem into Corporation A’s technology. Incorporating network infrastructure, security protocols, technical specifications, maintaining encrypted communications between the companies, assuring full compliance with existing laws and recommended industry standards, reducing stress on Business A infrastructure, satisfying commercial demands after the full merger, and achieving efficiency gains are all required for this initiative to be considered successful. This venture has a budget of $35,000 and is expected to be completed in 6 months. Following the acquisition, Corporation A and B will share a single headquarters as they will be considered a new entity.

Issues identified in Company A’s network

In preparation for interoperability, the IT team hired outside experts to do a risk analysis on Company A. As a consequence of this examination, various risks and dangers were discovered inside the Company A infrastructure. The accompanying dangers were discovered in the risk assessment study. The most dangerous discovery on the system was that ports 88-93 were exposed. This is a significant risk because an unsecured port can be abused by malicious attackers to get remote access. A vulnerability like an open port might have serious consequences for Company A’s performance or resources.

Keeping user profiles that are no longer required poses a serious hazard to the security of the organization. If a hacker obtains information about these former registered users, they can exploit the system by gaining unauthorized access. As a result, to maintain security from prospective threats, the corporation must delete the previous login credentials. Moreover, because of superuser capabilities, the vulnerability assessment detects a legitimate risk likelihood of a system intrusion. Accessibility to a company system is dangerous and can lead to catastrophic consequences. To maintain its integrity and to achieve some kind of responsibility, Company A must ensure permitted admin rights to other networks (Pardoe & Snyder, 2005).

It was determined that password updates are not implemented. Because password changes are not imposed, the service is more likely to be compromised. If the passwords were the same, a hacker might potentially use them to connect directly to other devices in the network. You expose yourself to a host of possible hazards if you don’t employ efficient authentication management solutions.

Weak passwords are unsafe because they expose a vulnerability that hackers can utilize to obtain entry through brute force attacks. As a result, network administrators must implement suitable account management procedures to reduce the possibility of a system intrusion. Company A may create a secure system by executing regular upgrades and mandating the use of complex passwords. These security weaknesses are a widespread danger to total information integrity (Peterson & Davie, 2022).

We must also keep in mind that servicing for the Cisco PIX 515E firewall was set to expire on May 25, 2007. EOL refers to the time at which the intrusion detection system used by Company A has reached the end of its life cycle from the retailer’s viewpoint, and the distributor will no longer support the system. Company A was exposed to potential threats, program inconsistency, compliance concerns, increased operational cost, and poor dependability and efficiency due to an out-of-date company network and the lack of anti-virus software. Cisco ceased all maintenance for the firewalls after they approached its end-of-life date, which included things like technical assistance and replacement parts. Using out-of-date mission-critical systems exposes the system to possible risks and flaws. Furthermore, it would have a negative influence on system performance and the company rather than a positive impact.

Company A’s infrastructure is also having problems. Staff is now permitted to utilize remote workstations to connect directly to the company’s network. Users are not accessing the system in a secure manner, such as by using a VPN, which is a tunneling protocol through a network connection. Furthermore, the organization did not have a DMZ to aid increase system security through isolation. When a machine is deployed inside a DMZ, it only has access to a special connection to other computers that exist in the corporate network.

Several issues were discovered on the Company B network as a result of the foregoing examinations. These concerns will be resolved before the completion of the consolidation with Company A. The Zenmap scan returns a list of network interfaces that are exposed. Having unnecessary or insecure open ports accessible is risky because a hacker may examine the system and determine which connections are un-patched, exposed, and subject to an attack. To address this, our personnel will block all connections and only allow those that are required to run the company and prevent unauthorized access.

DMZs serve as a boundary between the company’s network and the world wide web or other systems. This DMZ functionality allows network nodes to deliver to both internal and external networks. However, Company A’s DMZ was also not properly configured. A DMZ is intended to be put behind firewalls, with rules specified to protect the Zone from the website (Forouzan, 2007). A properly configured gateway will also protect the underlying network infrastructure from the DMZ.

By installing a DMZ, you are establishing a defensive strategy, making it even more difficult for hackers to get access to the computer systems of the company via the DMZ server.

The presented organizational chart depicts a concept of information movement and interaction, classifying both computers and the connections as potential threats. In the management structure, for instance, the Head of IT serves as the overarching administrator for any difficulties that the IT team may confront. The Director of IT reports to all security professionals, Computer technicians, and support personnel, however, they are divided into levels. As a result, there is a lack of coordination inside the IT division, which harms the attempts to secure the Network (Latapy & Willinger, 2008). The failure of information dissemination consumes time, especially when the manager needs to involve networking administration for a problem originating with the support center or Computer experts. When a potentially dangerous situation emerges that necessitates an instant reaction, the time it takes to complete this procedure might cost the firm dearly. Failure to follow suitable standards and requirements exposes the organization to cybersecurity incidents. Databases are also depicted on the flow chart; however, no staff is educated in the upkeep of the databases and the information contained on them (Forouzan, 2007). Furthermore, Company A’s SMTP server lacks an account manager to manage the inbound and outbound traffic. All of the problems highlighted are a few of those uncovered while reviewing the organization structure for Company A.

Company’s B network Analysis

584835762000

6419854826000

461010-113030

The results from Company B suggest the presence of elevated cybersecurity vulnerabilities.

The obvious security vulnerabilities are rendering the company’s infrastructure vulnerable, which must be addressed before the two firms are combined. The availability of multiple open ports was one of the weaknesses that stood out; this is a problem since it demonstrates a lack of fundamental security measures (Latapy & Willinger, 2008). Failure to manage these sorts of issues weakens the infrastructure and allows hackers to get unauthorized access to the company’s database. The unsecured ports demonstrate that Company B has neglected to conduct regular vulnerability assessments that help in the diagnosis of security flaws (Cohen, 1999). Furthermore, the company’s network indicates a large number of offline nodes.

I discovered two hosts on the network with a sum of 13 high risks on the devices during the Openvas assessment. First, the standard Pfsense firewall passwords were not altered. A cybercriminal can obtain the identities and use them to gain access to the company B system. The passwords must be changed immediately as feasible to resolve this issue. There is a sum of 12 high risks on the other computer. Because firm A operates in a Windows platform, I feel it would be better to deactivate this Linux system and migrate its services to our Windows server machine.

The presence of down hosts on the network indicates an absence of multiple services.

Putting routing security at risk may result in a scenario in which hackers overwhelm a server and bring the system offline by manipulating the exploited computer. Because of poor physical authentication and authorization measures, these servers are vulnerable to being disabled or compromised. Protective measures are elements of the corporation’s necessities that make a significant contribution to the system’s security management framework (Cohen, 1999). In addition, the system searches for the presence of any unauthorized services running in the background. Unidentified services have the potential to cause network damage by utilizing a range of resources and unprotected computers.

We used effective security design concepts to assure the network’s security when developing the new Company A infrastructure. Defense-in-depth was the first premise we implemented.

Defense-in-depth is a strategy that concentrates on limiting an intruder’s progress toward the central system. In the system, for instance, an intruder would need to get over two levels to obtain access to the remote server (Latapy & Willinger, 2008). Furthermore, when visitors connect to the wifi network, they do so in a secondary Virtual Private Cloud (VPC) connection that is segregated from the core network, servers, and databases. Strong network internal controls need the use of several secure layers of protection to make it more difficult to penetrate the safeguards and cause a disturbance or obtain sensitive information.

We have put in place several protections based on regulatory compliance. RDP will be replaced with our new VPN capabilities. Users will be able to remote enter the Company A network over an SSL connection using this tool. Defending data against intentional snooping and inadvertent leaking. This functionality also shields nodes and employees from the open web when they are connected to the internal network. Company A will be subject to additional financial rules since Company B is a finance firm, such as PCI-DSS, which is a protocol for safeguarding payment information for businesses that handle, transport, or retain credit card information.

Implementing strict password management is one of the prerequisites. Users from Company A will need to authenticate to the network using VPN to obtain access to the system (Pardoe & Snyder, 2005).

Furthermore, a demilitarized zone has been integrated into the system. This is a technical phrase for transferring the most crucial access points and serving as a shield between the internet and Company A’s infrastructure. The DMZ is set up behind a gateway. In addition, it blocks all incoming packets. Only a few channels are available to facilitate interaction with the webserver. A DMZ is essential for SOX 2 audit and compliance conformance. It is a regulatory assessment that addresses a provider institution’s procedures that pertain to processes and safety in terms of privacy, validity, and uptime. Establishing a DMZ falls under the statutory need to inform on organizational protection measures. 

OSI MODEL

The OSI model is an abbreviation for the open systems interconnection network model. It is a framework that explains all of the functions of communications technology systems. The physical layer is the first layer. This category includes the Pfsense router, Netgear switches, and the Ubiquiti wi-fi access station. This layer includes the physical and electronic expression of a device. The Data Link layer follows, which joins each base station to send information. A media access control (MAC address) number is issued to each device in the network at layer 2 by the switches. Furthermore, because the switch can function at layer 3, we will be able to establish virtual Local area networks to encapsulate the system.

The network layer comes next. At this level, the Pfsense routers function. It transfers router files from one node to the next. Each computer is given an IP address, which allows devices to interact with one another. The transport layer comes after the network layer. This layer manages how data is transported between hosts and processes.

When information is transported in this level, it is conveyed in split packets within each transmission sent from the servers or host in the layout. These packets can be transmitted over TCP, which emphasizes efficiency over the accuracy, or UDP, which values frequency over quality.

Clients in our system will interact on the Session layer by using programs such as Zoom and Google Meets. This layer decides where the packets are sent and which incoming data correspond to which responses. The presentation tier, layer 6, will condense information from the data layer. When the data is transferred across this layer, the data is decrypted when the receiver receives the information. When people send messages across the network, here is an instance of this. Finally, in the OSI model, the application layer is the last level.

Deletion or retention of network components

In the Company A schematic, we highlighted two key elements that will be dropped from the system and major elements that would be preserved. The Cisco 2811 Router and the Cisco PIX 515E firewall will be decommissioned from the system as their end-of-life dates have elapsed. When the company’s maintenance for these technologies ends, the component is no longer supported. This implies that if a defect or weakness has to be resolved, it is up to the consumer to rectify the problem or remove the gadget. In our new network, we will use an app that is still under service and support lifetime and will increase performance.

A Pfsense firewall will supersede the PIX 515E firewall. This is an open-source firewall that is continually updated and is freely accessible to all. It is simple to set up and performs flawlessly In addition to creating a variety of capabilities such as virtual private networks, routing, and firewall capabilities. A Netgear 24 port ethernet switch will substitute the Cisco 2811 router. This is a low-cost switch with different functionalities that will help the infrastructure and outperform the Cisco 2811. To save money during the system reconfiguration, we kept the Windows 10 workstations from Companies A and B. Outside of these 35,000 budgets, subscriptions for these devices are featured.

In addition, the existing server hardware was kept, but a standby backup server and active directory service were introduced. The backup servers were installed to offer a network restoration source in the case of a catastrophe or crisis. Contingency planning is critical for mitigating risks that might impair communication networks.

Proposed Network design

We used secure network design concepts to assure the network’s security when developing the new Company A network. Defense-in-depth was the first premise we implemented. Defense-in-depth is a concept that focuses on limiting an attacker’s progress toward the perimeter. In our infrastructure, an intruder would need to pass through two levels to obtain access to the host machine. Furthermore, when visitors connect to the Wi-Fi network, they do so in a second virtual local area network that is segregated from the main system. Strong network security measures need the use of several security mechanisms to make it more difficult to penetrate the barriers and cause a disturbance or steal sensitive information.

In addition, we implemented the philosophy of Least access privilege into the architecture of our system. The concept of least privilege is the notion of only granting a client the level of access necessary to complete the task at hand. If the user’s work duties grow, they will need to seek permission inside the system to get authorization. We created an active directory server to handle user profiles to support this idea. All users will now have basic access permissions that will enable them to conduct their jobs. This reduces the network’s system vulnerabilities. It also simultaneously improves audit preparedness.

The two secure equipment and software elements will be combined into the solution that will fulfill the combined organization’s information security demands. First, there’s the new Pfsense platform, which combines a firewall and a router into a single machine. Pfsense will assist the requirements of the company because it records all network activity using the snort sniffing capability. It also includes a function called p0f that detects which operating system is attempting to access the Company A network. It also contains a load balancer, which is excellent for reliability. Finally, it provides VPN capability, allowing Company A users to safely access the internet.

. We determined that installing Malwarebytes on devices connected would be the best way to safeguard customers and the system from malware and viruses. It guards against cyberattacks and can do fast scans to identify risks. Furthermore, it works well with Active Directory. It can help safeguard users against drive-by infections and dangerous websites. Phishing is a security issue that might arise as a result of any network installation. The present design does not contain mail setups for filtering spam messages or scammers from the public networks. To address this issue, the team will put in place safeguards that will stop spamming or harmful communications.

Security awareness support will be conducted to account holders so that they are alert of questionable emails. Phishing is a challenging risk to defend against and can be the root cause of system cybersecurity incidents. Training users on this issue will make it more difficult for an intruder to get remote access. Controlling the equipment for the Pfsense firewall and router is a possible technical issue that might pose a risk. Pfsense is an open-source solution that will necessitate the majority of setup and deployment by the staff. In comparison to a Cisco firewall and router. Normally, it is distinct, but the computer systems are merged.

References

Cohen, F. (1999). Managing network security: Simulating network security. Network Security, 1999(4), 6–13. https://doi.org/10.1016/s1353-4858(00)80009-4

Forouzan, B. A. (2007). Network security. McGraw-Hill Higher Education.

Latapy, M., & Willinger, W. (2008). Complex Computer and Communication Networks. Computer Networks, 52(15), 2817–2818. https://doi.org/10.1016/j.comnet.2008.06.001

Pardoe, T. D., & Snyder, G. F. (2005). Network security. Thomson/Delmar Learning.

Peterson, L. L., & Davie, B. S. (2022). Computer Networks: A systems approach. Elsevier.